What policy wonk wouldn't want to click on an attachment promising to unveil US plans for Venezuela? Chinese cyberspies used just such a lure to target US government agencies and policy-related organizations in a phishing campaign that began just days after an American military operation captured Venezuelan President Nicolás Maduro.
Acronis Threat Research Unit discovered the campaign after finding a zip file named "US now deciding what's next for Venezuela" uploaded in early January to VirusTotal. It contained a legitimate executable and a hidden, DLL-based backdoor called Lotuslite.
This combination, along with other factors such as infrastructure and technical overlaps, helped the security sleuths attribute the phishing campaign with "moderate confidence" to a Beijing-backed espionage crew called Mustang Panda (aka UNC6384, Twill Typhoon).
US law enforcement and cyber agents have tracked Mustang Panda for years, and blamed the snoops for breaking into "numerous government and private organizations" in the US, Europe, and the Indo-Pacific region.
In a Thursday report, Acronis' threat hunters detailed the crew's latest campaign and provided a technical analysis of its new Lotuslite malware. One of the authors, threat intelligence research lead Santiago Pontiroli, said it's unknown if the PRC spies successfully compromised any targeted computers.
"This was a precise, targeted campaign, not a wide-reaching or random attack. The targeting appears selective rather than broad spray and pray," Pontiroli told The Register.
"The threat actor responsible fits into a broader pattern of ongoing cyberespionage activity that is opportunistic and event-responsive rather than static," he added. "In this particular campaign, the threat actor moved fast immediately after Maduro was captured."
Speaking of PRC operatives…
A suspected China-linked group known for targeting US critical infrastructure sectors exploited CVE-2025-53690, a ViewState deserialization zero-day vulnerability in Sitecore products, and used this security hole to gain initial access to victims' environments.
Cisco Talos, which tracks the crew as UAT-8837, assesses "with medium confidence" that the group is a "China-nexus advanced persistent threat (APT) actor."
The September attacks abusing CVE-2025-53690 indicate that "UAT-8837 may have access to zero-day exploits," Talos said in a Thursday report.
Mustang Panda, as with its previous phishing expeditions, aligned its cyber operation with current geopolitical events. In this case, it was Maduro's capture, while earlier campaigns used lures tied to diplomatic conferences and region-specific political events.
"Operationally, Mustang Panda favors medium-complexity, repeatable execution techniques, most notably the extensive use of DLL sideloading to deploy custom implants via benign or trusted executables," the threat research unit wrote.
Additional analysis of the zip archive revealed an executable launcher named "Maduro to be taken to New York" - this turned out to be a renamed launcher binary for a music streaming service owned by Tencent - plus a hidden, malicious DLL called kugou.
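As an added defender-side example (not code from the Acronis report or the article), here is a small triage check for the lure layout described above: a Python script that reads the MS-DOS attribute bits stored in a zip archive and flags any DLL that sits beside an EXE and carries the hidden or system flag. The member names and placeholder contents in the sample archive are constructed for the demo.

```python
import io
import zipfile

# MS-DOS attribute bits; zip archives created on Windows store them in the
# low byte of each member's external attributes field.
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04
DOS_ARCHIVE = 0x20


def dos_attributes(info: zipfile.ZipInfo) -> int:
    """Return the MS-DOS attribute byte for an archive member."""
    return info.external_attr & 0xFF


def find_sideload_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Flag (exe, dll) pairs where a DLL sits in the same folder as an EXE
    and is marked hidden or system, the lure layout described in the article."""
    pairs = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        exes = [m for m in members if m.filename.lower().endswith(".exe")]
        dlls = [m for m in members if m.filename.lower().endswith(".dll")]
        for exe in exes:
            for dll in dlls:
                same_dir = exe.filename.rpartition("/")[0] == dll.filename.rpartition("/")[0]
                if same_dir and dos_attributes(dll) & (DOS_HIDDEN | DOS_SYSTEM):
                    pairs.append((exe.filename, dll.filename))
    return pairs


def build_sample_archive(hide_dll: bool = True) -> bytes:
    """Constructed sample archive (placeholder bytes, not real malware):
    a launcher EXE beside a DLL whose hidden bit is set when hide_dll is True."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        launcher = zipfile.ZipInfo("Maduro to be taken to New York.exe")
        launcher.external_attr = DOS_ARCHIVE  # visible file
        zf.writestr(launcher, b"MZ placeholder")
        dll = zipfile.ZipInfo("kugou.dll")
        dll.external_attr = DOS_ARCHIVE | (DOS_HIDDEN if hide_dll else 0)
        zf.writestr(dll, b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_sideload_pairs(build_sample_archive()))
```

The attribute check only catches archives built on Windows that preserve the hidden flag; pairing it with a signature check on the EXE is the more robust version of the same heuristic.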
Kugou.dll, according to the researchers, turned out to be a never-before-seen backdoor that they named Lotuslite. The custom C++ implant communicates with a hard-coded, IP-based command-and-control server. It establishes persistence on infected machines, performs beaconing tasks and allows operators to steal data from victims' environments. ®
Source: The Register